Closed
Bug 1901405
Opened 29 days ago
Closed 28 days ago
Assertion failure: offset <= (2147483647), at /root/src/js/src/jit/MIR.h:10241
Categories
(Core :: JavaScript: WebAssembly, defect)
Core
JavaScript: WebAssembly
Tracking
()
RESOLVED
DUPLICATE
of bug 1886703
People
(Reporter: nils.bars, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
159 bytes,
application/x-javascript
|
Details |
Steps to reproduce:
Checkout commit 15778b8c32f8535624fff2af36fc669e65a9af3 and invoke the js shell as follows:
/root/js-spidermonkey-shell --fuzzing-safe <testcase>
Actual results:
Assertion failure: offset <= (2147483647), at /root/src/js/src/jit/MIR.h:10241
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Updated•29 days ago
|
Group: core-security → javascript-core-security
Comment 1•28 days ago
|
||
This is failing an assertion in the MWasmDerivedPointer
constructor.
Component: JavaScript Engine → JavaScript: WebAssembly
Comment 3•28 days ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #2)
Maybe this is also similar to bug 1886703?
Yes, I'm pretty sure this is the same bug. I had hoped
that we could defer landing the fix for bug 1886703 for
a while, since it will conflict with ongoing work on lazy
tiering for wasm, but maybe we can't defer it any more.
Updated•28 days ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 28 days ago
Duplicate of bug: 1886703
Flags: needinfo?(ydelendik)
Resolution: --- → DUPLICATE
Updated•28 days ago
|
Group: javascript-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•